GPG keys and instructions
GPG is the GNU Privacy Guard.
To reduce the risk of someone breaking into SourceForge (as has happened before) and quietly changing the code (which hasn't happened), all software source releases have GPG signatures.
To check a file, you need to get my public key (below) and the GPG signature for the file you downloaded. Assuming the key hasn't been tampered with too, GPG can check that the downloaded file is identical to the one I signed.
You only need to download the public key once, so an attacker changing the key won't be able to fool everyone (because most people will already have the good key, and they can warn the others).
You can also check the key's fingerprint against the one in my mailing list or Usenet postings.
If you spot anything suspicious, let us know quickly!
Important: a correct GPG signature tells you that you have a faithful copy of the software I released. It doesn't mean the software is actually bug-free, or that I'm making any guarantees about it. All it says is that no one altered it between me and you.
There is an easy way to install software which checks the GPG signatures for you: AddApp. AddApp asks you to confirm the key's fingerprint the first time you run some software signed using it.
For more paranoid users, the next step is to check that the key hasn't been tampered with. Find one of Thomas Leonard's postings to Usenet or the mailing lists, and look for the GPG fingerprint at the end. Compare that with the fingerprint that was displayed during the signature check.
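The check described above can be scripted so that the fingerprint comparison is not left to the eye. The following is an added example, not code from this site: it reads gpg's machine-readable status output (--status-fd) and accepts a file only if the signature is valid and was made by the pinned key. PINNED_FPR is a constructed placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder: replace it with the
# fingerprint you confirmed from a mailing list or Usenet posting.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Normalise a fingerprint as people paste it: drop spaces/colons, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Read "gpg --status-fd" lines on stdin. Succeed only if a VALIDSIG line names
# the pinned fingerprint and no failure status was reported for any signature.
status_ok() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing key fingerprint; newer gpg versions append
            # the primary key fingerprint as the last field.
            if (toupper($3) == want || toupper($NF) == want) good = 1
            else bad = 1   # valid signature, but from a key that is not pinned
        }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# Usage: verify_release release.tgz.sig release.tgz   (file names illustrative)
# The public key must already be imported into your keyring.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_ok "$PINNED_FPR"
}
```

A signature from any other key fails the check even when gpg itself reports it as good, which is the case the fingerprint comparison exists to catch.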
See the GPG website for more instructions on using GPG.
Thomas Leonard's GPG key